In a previous post called Managing NSX Edge and Manager Certificates (SKKB1012) we looked into NSX Edge self-signed certificates, certificates signed by a Certification Authority (CA), and certificates generated and signed by a CA and how to use them in NSX. We briefly mentioned a functionality called Global certificates as well.
NSX Global Certificate basically is a certificate signed by your Certificate Authority (CA) and this certificate is imported at a NSX “global level”. By being at a global level, it is available to all NSX Edges in your inventory. Unfortunately neither the NSX Manager User interface (UI) or the NSX tab of the vSphere Web client UI expose options to administer these global certificates. In order to create global certificate, import it into NSX Manager, use it in SSL VPN or an Application Profile you must create it via API call.

These are all global certificates and available by default on every edge.
Note: you do not have an option to import or create your own global certificate.
So lets’ assume you have your onw, company signed certificate that you want to import in the list.
You can do this my navigating to Settings > Certificates

Use Case

Lets look into an use case where importing the certificate manually is not possible/desired and we have to find another way by using global certificates.

The Kaloferov.com company has the following use:

The company is using vRealize Automation (vRA) to deploy applications via multi-machine blueprints (MBP).

As part of your MPB blueprint the company has an NSX ON-Demand Load Balancer being created with every blueprint instance/deployment.

Company wants to have NSX SSL VPN Plus configured on all Load Balancer Edge .

Company wants to use it’s own company signed certificate for the NSX SSL VPN on each edge.

This would basically mean that if a 100 instances of your vRA application gets deployed, a 100 edges will need manual NSX SSL VPN Certificate configuration.
Lets see what we can do to find a solution to the company’s problem.

Solution

To resolve the company’s problem we will do the following:
-Use NSX Global Certificates.
-Import our company signed SSL Certificate into NSX and mark it as global certificate. Afterwards all edges have that certificate available for selection during NSX SSL VPN Plus configuration
-Will automate the configuration of the NSX SSL VPN Plus so that its configured during VPN provisioning time.

Lets’ first take a look again at the NSX SSL VPN Plus configuration.
If we select Use Default Certificate, the edge will sue default NSX Edge appliance certificate. This means during or after our VM provisioning, when we enable the NSX SSL VPN Plus , we will need to change the default certificate.

For this example the Kaloferov.com company has created a wildcard certificate that will be imported in NSX as global certificate and sued for NSX SSL VPN Plus configuration. We are suing wildcard one as during blueprint provisioning time edges will get randomly generated names and IP’s form our DHCP system.

We need to modify the body to fit the primary certificate, the primary certificate private key and a pass phrase.
For {scopeId} we will use globalroot-0 which means Global Certificate
So lets run the REST command to import the certificate

You can validate the change by doing a REST like this:
GET /4.0/edges/edge-4/sslvpn/config/server

Or go to the manager and validate that the NSX SSL VPN Plus is now configured and using the company approved certificate and algorithm.

Now you can easily take those rest calls and hook to the vRA Blueprint deployment using vRA Event Broker. Then use vRO to run the REST calls and make the appropriate changes to all newly deployed NSX On-Demand Load Balancers (edges)